NetMeeting and Internet Communication
Applies To: Windows Server 2003 with SP1
This section provides information about:
The benefits of NetMeeting® conferencing software
Using NetMeeting in a managed environment
How NetMeeting communicates with sites on the Internet
How to control NetMeeting to limit the flow of information to and from the Internet
Benefits and Purposes of NetMeeting
NetMeeting conferencing software is a feature of Windows Server 2003 with Service Pack 1 (SP1) that enables real-time communication and collaboration over the Internet or an intranet. From a computer running the Windows 95, Windows 98, Windows NT® 4.0, Windows 2000, or Windows XP operating system, users can communicate over a network with real-time voice and video technology. Users can work together on virtually any Windows application, exchange or mark up graphics on an electronic whiteboard, transfer files, or use the text-based chat program.
NetMeeting helps small and large organizations take full advantage of their corporate intranet for real-time communication and collaboration. On the Internet, connecting to other NetMeeting users is made easy with Internet Locator Service (ILS), enabling participants to call each other from a dynamic directory within NetMeeting or from a Web page. Features include remote desktop sharing, virtual conferencing using Microsoft Outlook, security features, and the ability to embed the NetMeeting user interface in an organization’s intranet Web pages.
To learn more about the NetMeeting features, see "Microsoft NetMeeting 3 Features" on the Microsoft TechNet Web site at:
https://go.microsoft.com/fwlink/?LinkId=29175
Overview: Using NetMeeting in a Managed Environment
NetMeeting supports communication standards for audio, video, and data conferencing. NetMeeting users can communicate and collaborate with users of other standards-based, compatible products. They can connect by modem, Integrated Services Digital Network (ISDN), or local area network (LAN) using Transmission Control Protocol/Internet Protocol (TCP/IP). In addition, support for Group Policy in NetMeeting makes it easy for administrators to centrally control and manage the NetMeeting work environment.
You can use Active Directory directory service and Group Policy to configure NetMeeting to help meet your security requirements. You can also control the configuration of NetMeeting by using the NetMeeting Resource Kit. For more information about the NetMeeting Resource Kit, see "Alternate Methods for Controlling NetMeeting," later in this section.
NetMeeting components and features require that several ports be open from the firewall. For more information, see "NetMeeting and Firewalls," later in this section.
How NetMeeting Communicates with Sites on the Internet
NetMeeting provides an infrastructure for communication between network applications and services. In this infrastructure, NetMeeting is both an application and a platform for other applications or services. The components and services in NetMeeting provide real-time communication and collaboration over the Internet or an organization’s intranet.
NetMeeting audio and video conferencing features are based on the H.323 standard infrastructure, which enables NetMeeting to interoperate with other H.323 standards-based products. (H.323 is a standard approved by the International Telecommunication Union [ITU] that defines how audiovisual conferencing data is transmitted across networks.) NetMeeting data conferencing features are based on the T.120 infrastructure, enabling NetMeeting to interoperate with other T.120 standards-based products. (The T.120 standard is a suite of communication and application protocols developed for real-time, multipoint data connections and conferencing.)
Detailed information about the H.323 and T.120 standards is beyond the scope of this white paper. Further information can be found on the following sites.
For more information about the H.323 standard and NetMeeting, see Part 3, Chapter 11, "Understanding the H.323 Standard," in the NetMeeting 3.0 Resource Kit at:
For more information about the H.323 specification, see the Web sites of the International Telecommunication Union (ITU) and the International Multimedia Telecommunications Consortium (IMTC) at:
To learn more about the T.120 standard and NetMeeting, see Part 3, Chapter 10, "Understanding the T.120 Standard," in the NetMeeting 3.0 Resource Kit at:
For more information about the T.120 architecture, see the International Multimedia Teleconferencing Consortium (IMTC) Web site at:
(Web addresses can change, so you might be unable to connect to the Web site or sites mentioned here.)
NetMeeting Port Assignments
When you use NetMeeting to call other users over the Internet, several IP ports are required to establish the outbound connection. The following table describes the port numbers, their functions, and the resulting connection.
Port Assignments for NetMeeting
Port | Function | Outbound Connection |
---|---|---|
389 |
Internet Locator Service (ILS) |
TCP |
522 |
User Location Service (ULS) |
TCP |
1503 |
T.120 |
TCP |
1720 |
H.323 call setup |
TCP |
1731 |
Audio call control |
TCP |
1024 through 65535 (dynamic) |
H.323 call control |
TCP |
1024 through 65535 (dynamic) |
H.323 streaming |
Real-Time Transfer Protocol (RTP) over User Datagram Protocol (UDP) |
For more information about NetMeeting communication ports and firewall configuration topics, see Part 2, Chapter 4, "Firewall Configuration" in the NetMeeting 3.0 Resource Kit at:
https://go.microsoft.com/fwlink/?LinkId=36134
Controlling NetMeeting to Limit the Flow of Information to and from the Internet
You can configure NetMeeting by using Group Policy objects (GPOs) on servers running Windows Server 2003. (You can also control the configuration of NetMeeting by using the NetMeeting Resource Kit. For more information, see "Alternate Methods for Controlling NetMeeting," later in this section.)
This subsection includes information about the following topics:
NetMeeting and Group Policy
NetMeeting security
NetMeeting and firewalls
Establishing a NetMeeting connection with a firewall
Firewall limitations for NetMeeting
NetMeeting and Group Policy
Group Policy can be used to define the default NetMeeting configuration settings that will be automatically applied to users and computers. These settings determine which NetMeeting features and capabilities are available to a particular computer or to a particular group of users. Through the use of Group Policy you can enable, disable, or set configuration options for NetMeeting features or capabilities.
For additional information about Group Policy, see Appendix B: Resources for Learning About Group Policy.
You can use Group Policy to manage the following NetMeeting configuration options for users in your organization:
NetMeeting Group Policy setting for computers
NetMeeting Group Policy settings for users
Configuring NetMeeting Setting for Computers Through Group Policy
In Group Policy, the NetMeeting policy setting for computers is located in Computer Configuration\Administrative Templates\Windows Components\NetMeeting:
- Disable remote Desktop Sharing
For more information about how to use Group Policy to manage the NetMeeting computer setting, see "To Disable the NetMeeting Remote Desktop Sharing Feature Through Group Policy," later in this section.
Note
Group Policy settings for computers are applied when the operating system starts and during the periodic refresh cycle.
Configuring NetMeeting Settings for Users Through Group Policy
The Group Policy configuration options that apply to users include general NetMeeting settings, and settings for application sharing, audio and video, and the options page.
Configuring General NetMeeting Settings for Users Through Group Policy
In Group Policy, general NetMeeting policy settings for users are located in User Configuration\Administrative Templates\Windows Components\NetMeeting:
Enable Automatic Configuration: Configures NetMeeting to download settings for users each time it starts.
Disable Directory services: Disables the directory feature—users will not log on to a directory server when NetMeeting starts. Users will not be able to view or make calls using the NetMeeting directory.
Prevent adding Directory servers: Prevents the user from adding directory servers to the list of available directory servers they can use for placing calls.
Prevent viewing Web directory: Prevents the user from viewing directories as Web pages in a browser.
Set the intranet support Web page: Sets the Web address that NetMeeting will display when users choose the Online Support command from the NetMeeting Help menu.
Set Call Security options: Sets the level of security for outgoing and incoming NetMeeting calls.
Prevent changing Call placement method: Prevents the user from changing the way calls are placed, either directly or by means of a gatekeeper server.
Prevent automatic acceptance of Calls: Prevents the user from turning on automatic acceptance of incoming calls.
Allow persisting automatic acceptance of Calls: Sets automatic acceptance of incoming calls to be persistent.
Prevent sending files: Prevents users from sending files to others in a conference.
Prevent receiving files: Prevents users from receiving files from others in a conference.
Limit the size of sent files: Sets the maximum file size that can be sent to others in a conference.
Disable Chat: Disables the chat feature of NetMeeting.
Disable NetMeeting 2.x Whiteboard: Disables the NetMeeting 2.x Whiteboard feature. (The 2.x feature provides compatibility with earlier versions of NetMeeting only.)
Disable Whiteboard: Disables the whiteboard feature of NetMeeting.
Note
Group Policy settings for users are applied when a user logs on to the computer and during the periodic refresh cycle.
Configuring NetMeeting Application Sharing Settings Through Group Policy
Group Policy settings for the NetMeeting Application Sharing feature are located in User Configuration\Administrative Templates\Windows Components\NetMeeting\Application Sharing:
Disable application Sharing: Disables the NetMeeting application sharing feature completely. Users will not be able to host or view shared applications.
Prevent Sharing: Prevents users from sharing anything themselves. They will still be able to view shared applications or desktops from others.
Prevent Desktop Sharing: Prevents users from sharing their Windows desktop. They will still be able to share individual applications.
Prevent Sharing Command Prompts: Prevents the user from sharing command prompts. Enabling this prevents the user from inadvertently sharing applications, since command prompts can be used to start other applications.
Prevent Sharing Explorer windows: Prevents the user from sharing Windows Explorer windows. Enabling this prevents the user from inadvertently sharing applications, since Windows Explorer windows can be used to start other applications.
Prevent Control: Prevents users from allowing others in a conference to control what they have shared. Enabling this enforces a read-only mode whereby the other participants cannot change the data in the shared application.
Prevent Application Sharing in true color: Prevents users from sharing applications in true color, which uses more bandwidth.
Note
Group Policy settings for users are applied when a user logs on to the computer and during the periodic refresh cycle.
Configuring NetMeeting Audio and Video Settings Through Group Policy
Group Policy settings for NetMeeting audio and video are located in User Configuration\Administrative Templates\Windows Components\NetMeeting\Audio & Video:
Limit the bandwidth of Audio and Video: Configures the maximum bandwidth, specified in kilobytes per second, to be used for audio and video.
Disable Audio: Disables the audio feature of NetMeeting. Users will not be able to send or receive audio.
Disable full duplex Audio: Disables the full duplex audio mode. Users will not be able to listen to incoming audio while speaking into the microphone. Older audio hardware may not perform well when full duplex audio is enabled.
Prevent changing DirectSound Audio setting: Prevents the user from changing the DirectSound® audio setting. DirectSound has better audio quality, but earlier audio hardware may not support DirectSound.
Prevent sending Video: Prevents the user from sending video. Setting this option does not prevent the user from receiving video.
Prevent receiving Video: Prevents the user from receiving video. Setting this option does not prevent the user from sending video.
Note
Group Policy settings for users are applied when a user logs on to the computer and during the periodic refresh cycle.
Configuring NetMeeting Options Settings Through Group Policy
Group Policy settings for NetMeeting options are located in User Configuration\Administrative Templates\Windows Components\NetMeeting\Options Page. These settings correspond to elements of the NetMeeting Options page. To view this page, in NetMeeting, click Tools and then click Options. These Group Policy settings are as follows:
Hide the General page: Removes the General tab on the NetMeeting Options page.
Disable the Advanced Calling button: Disables the Advanced Calling button from the General page.
Hide the Security page: Removes the Security tab on the NetMeeting Options page.
Hide the Audio page: Removes the Audio tab on the NetMeeting Options page.
Hide the Video page: Removes the Video tab on the NetMeeting Options page.
Note
Group Policy settings for users are applied when a user logs on to the computer and during the periodic refresh cycle.
To learn about specific Group Policy settings that can be applied to computers running Windows Server 2003 SP1, see the Group Policy Settings Reference on the Microsoft Web site at:
https://go.microsoft.com/fwlink/?LinkId=29911
NetMeeting Security
The NetMeeting security architecture for data conferencing takes advantage of the existing, standards-compliant security features of Windows Server 2003 SP1 and Microsoft Internet Explorer. The NetMeeting security architecture utilizes a 40-bit encryption technology and has the following security features.
Password protection: This feature enables the user to create or participate in a meeting that requires a password to join. Password protection helps to ensure that only authorized users participate in a password-protected meeting. A password is also required to use the remote desktop sharing feature.
User authentication: This feature provides a way to verify the identity of a caller or meeting participant using a certificate.
Data encryption: This feature helps to protect data exchanged during a meeting so that it is not easily read by any unauthorized parties that may intercept the data. The 40-bit data encryption applies to the whiteboard and chat features, shared applications, and transferred files. Audio and video communications are not encrypted.
NetMeeting security features integrate with security in Windows Server 2003 SP1 and Internet Explorer in a variety of ways, including the following:
NetMeeting uses the NetMeeting private certificate store to provide personal certificates for user authentication and data encryption.
NetMeeting uses the Windows certificate store to maintain NetMeeting certificates.
NetMeeting uses Security Support Provider Interface (SSPI) functions to generate and process security tokens.
These security features can be implemented by an administrator or a NetMeeting user. Using the NetMeeting Resource Kit Wizard or Group Policy in NetMeeting, the administrator can enforce security settings that apply to all users. If allowed by the administrator, NetMeeting users can also select their own security settings in the NetMeeting user interface (UI) and change security settings for individual calls.
You can use the following sources to learn more about NetMeeting configuration and security topics.
For more information about the NetMeeting Resource Kit Wizard, see Part 2, Chapter 2, "Resource Kit Wizard" in the NetMeeting 3.0 Resource Kit at:
For more information about the security features available in NetMeeting, see Part 2, Chapter 5, “NetMeeting Security” in the NetMeeting 3.0 Resource Kit at:
NetMeeting and Firewalls
You can configure firewall components in a variety of ways, depending on your organization's specific security policies and overall operations. While most firewalls are capable of allowing primary (initial) and secondary (subsequent) Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) connections, it is possible that they are configured to support only specific connections based on security considerations. For example, some firewalls support only primary TCP connections, which some professionals view as the most reliable.
For NetMeeting multipoint data conferencing—program sharing, whiteboard, chat, file transfer, and directory access—your firewall only needs to pass through primary TCP connections on assigned ports. NetMeeting audio and video features require secondary TCP and UDP connections on dynamically assigned ports.
Note
NetMeeting audio and video features require secondary TCP and UDP connections. Therefore, when you establish connections through firewalls that accept only primary TCP connections, you are not able to use the audio or video features of NetMeeting.
Detailed firewall configuration procedures for NetMeeting are beyond the scope of this white paper. For more information about NetMeeting firewall connections, see Part 2, Chapter 4, "Firewall Configuration" in the NetMeeting 3.0 Resource Kit, particularly the section titled, "Establishing a NetMeeting Connection with a Firewall" at:
https://go.microsoft.com/fwlink/?LinkId=36134
Microsoft NetMeeting can be configured to work with an organization’s existing firewall security. Because of limitations in most firewall technology, however, few products are available that enable you to securely transport inbound and outbound NetMeeting calls containing audio, video, and data across a firewall. You should consider carefully the relative security risks of enabling different parts of a NetMeeting call in your firewall product. You must especially consider the security risks involved when modifying your firewall configuration to enable any component of an inbound NetMeeting call.
Some organizations have security or policy concerns that require them to limit how fully they support NetMeeting in their firewall configuration. These concerns are based on network capacity planning or weaknesses in the firewall technology being used. For example, security concerns might prohibit an organization from accepting any inbound or outbound flow of UDP data through the firewall. Because these UDP connections are required for NetMeeting audio and video features, disabling this function excludes audio and video features in NetMeeting for calls through the firewall. The organization can still use NetMeeting data conferencing features such as program sharing, file transfer, whiteboard, and chat for calls through the firewall by allowing only TCP connections on ports 522 and 1503.
For more information about NetMeeting firewall security, see the section titled "Security and Policy Concerns," in the chapter of the NetMeeting Resource Kit from the previous link (scroll through the chapter until you find the section).
Establishing a NetMeeting Connection with a Firewall
When you use NetMeeting to call other users over the Internet, several IP ports are required to establish the outbound connection.
If you use a firewall to connect to the Internet, it must be configured so that the following IP ports are not blocked:
TCP ports 389, 522, 1503, 1720, and 1731
TCP and UDP ports (1024 through 65535)
To establish outbound NetMeeting connections through a firewall, the firewall must be configured to do the following:
Pass through primary TCP connections on ports 389, 522, 1503, 1720, and 1731.
Pass through secondary TCP and UDP connections on dynamically assigned ports (1024 through 65535).
The H.323 call setup protocol dynamically negotiates a TCP port for use by the H.323 call control protocol. Also, both the audio call control protocol and the H.323 call setup protocol dynamically negotiate UDP ports for use by the H.323 streaming protocol, the Real-Time Transfer Protocol (RTP). In NetMeeting, two UDP ports are designated on each side of the firewall for audio and video streaming, for a total of four ports for inbound and outbound audio and video. These dynamically negotiated ports are selected arbitrarily from all ports that can be assigned dynamically.
NetMeeting directory services require either port 389 or port 522, depending on the type of server you are using. The Microsoft Internet Locator Service (ILS), which supports LDAP for NetMeeting, requires port 389. The Microsoft User Location Service (ULS), developed for NetMeeting 1.0, requires port 522.
Firewall Limitations for NetMeeting
Some firewalls cannot support an arbitrary number of virtual internal IP addresses, or cannot do so dynamically. With these firewalls, you can establish outbound NetMeeting connections from computers inside the firewall to computers outside the firewall, and you can use the audio and video features of NetMeeting. Users outside the organization cannot, however, establish inbound connections from outside the firewall to computers inside the firewall. Typically, this restriction is due to limitations in the network implementation of the firewall.
Note
Some firewalls are capable of accepting only certain protocols and cannot handle TCP connections. For example, if your firewall is a Web proxy server with no generic connection-handling mechanism, you will not be able to use NetMeeting through the firewall.
You can use the following sources to learn more about NetMeeting configuration and firewall topics.
For more information about NetMeeting firewall connections, see Part 2, Chapter 4, "Firewall Configuration" in the NetMeeting 3.0 Resource Kit, particularly the section titled "Establishing a NetMeeting Connection with a Firewall" at:
For more information about using NetMeeting and your firewall, see article 158623, "How to Establish NetMeeting Connections through a Firewall" in the Microsoft Knowledge Base at:
Alternate Methods for Controlling NetMeeting
You can create customized installation options for specific users or groups within your organization by using the NetMeeting Resource Kit Wizard. Additionally, you can use the NetMeeting Resource Kit Wizard to control user and computer access rights by creating custom configurations of client settings and specific features that you have selected to restrict or allow. For example, you can control audio and video access, set data throughput limits and network speeds, and choose to display online support. The Resource Kit Wizard can also help you set up various configurations of NetMeeting for different types of users and different levels of security. It can help you save network bandwidth by restricting specific features. You can also use the Resource Kit Wizard both to change registry settings for all NetMeeting users and to implement such changes globally.
Note
By selecting certain options in the Resource Kit Wizard, be aware that you may be changing the NetMeeting user interface. For example, if you click Restrict the Use of Video, the Video tab does not appear in the NetMeeting user's Options dialog box.
Part 4 of the Resource Kit for NetMeeting has an appendix that provides detailed information about responding to NetMeeting problems, including problem descriptions, causes, and resolutions.
For more information about the NetMeeting 3.0 Resource Kit, see the Microsoft TechNet Web site at:
https://go.microsoft.com/fwlink/?LinkId=36134
Procedures for Configuring NetMeeting
NetMeeting is designed to enhance the enterprise environment and enable users to communicate internally and externally with other NetMeeting users. You can use Group Policy to develop a NetMeeting feature management policy to support the specific business rules or communication policies that exist within your organization. For example, your organization may not want users to be able to access or use the NetMeeting chat feature from their computers. By using Active Directory and Group Policy, you can disable the chat feature from any or all computers that are affected by the application of the Group Policy configuration settings.
For lists of Group Policy settings that you can use to manage NetMeeting configuration options, see "NetMeeting and Group Policy," earlier in this section.
Procedures for Managing NetMeeting Features Through Group Policy
This subsection provides procedures for the following configuration methods:
Locating the Group Policy objects (GPOs) for NetMeeting configuration settings. These are the settings listed in "NetMeeting and Group Policy," earlier in this section.
Disabling the NetMeeting remote desktop sharing feature. This prevents users from using this feature.
Disabling the NetMeeting advanced calling feature.
Disabling the NetMeeting chat feature.
To Locate the Group Policy Settings for NetMeeting User Configuration
As needed, see Appendix B: Resources for Learning About Group Policy, and then edit an appropriate GPO.
Click User Configuration, click Administrative Templates, click Windows Components, and then click NetMeeting.
View the Group Policy objects that are available. For more information about these objects, see "NetMeeting and Group Policy," earlier in this section.
To Disable the NetMeeting Remote Desktop Sharing Feature Through Group Policy
Use the following steps to configure the Group Policy setting to prevent users from using the NetMeeting remote desktop sharing feature.
As needed, see Appendix B: Resources for Learning About Group Policy, and then edit an appropriate GPO.
Click Computer Configuration, click Administrative Templates, click Windows Components, and then click NetMeeting.
In the details pane, double-click Disable remote Desktop Sharing.
Click Enabled.
Note
Group Policy settings for computers are applied when the operating system is initialized and during the periodic refresh cycle.
To Disable the NetMeeting Advanced Calling Feature Through Group Policy
Use the following steps to configure the Group Policy setting to disable the advanced calling feature on the NetMeeting options page.
As needed, see Appendix B: Resources for Learning About Group Policy, and then edit an appropriate GPO.
Click User Configuration, click Administrative Templates, click Windows Components, click NetMeeting, and then click Options Page.
In the details pane, double-click Disable the Advanced Calling button, and then click Enabled.
To Disable the NetMeeting Chat Feature Through Group Policy
Use the following steps to configure the Group Policy setting to prevent the use of the NetMeeting Chat feature.
As needed, see Appendix B: Resources for Learning About Group Policy, and then edit an appropriate GPO.
Click User Configuration, click Administrative Templates, click Windows Components, and then click NetMeeting.
In the details pane, double-click Disable Chat, and then click Enabled.
Note
Group Policy settings for users are applied when a user logs on to the computer and during the periodic refresh cycle.
Related Links
Web Resources
For more information about using NetMeeting and your firewall, see article 158623, "How to Establish NetMeeting Connections through a Firewall," in the Microsoft Knowledge Base at:
For more information about NetMeeting, see Windows NetMeeting on the Microsoft Web site at:
For more information about configuring NetMeeting, see the Windows NetMeeting Resource Kit on the Microsoft Web site at:
To learn more about NetMeeting features, see the Microsoft Web site at:
To view articles that explain how to use some of the features in NetMeeting, see the Microsoft NetMeeting How-to Guide on Microsoft Web site at:
For more information about the H.323 specification, search for “H.323” on the ITUT Web site at:
For more information about the T.120 architecture, see the International Multimedia Teleconferencing Consortium (IMTC) Web site at:
(Web addresses can change, so you might be unable to connect to the Web site or sites mentioned here.)
Printed References
For more information about firewall design, policy, and security considerations for firewall design in general, you can consult the following reference.
- Chapman, D. Brent and Elizabeth D. Zwicky. Building Internet Firewalls. O'Reilly & Associates, Inc., 1995.